But it’s not all roses. IT managers, who ultimately must serve these communities’ legitimate needs, are faced with some Mac-specific challenges.

The key to successful Mac management in the enterprise is recognition of its unique capabilities and knowing when not to treat it as just another Windows box.

Fortunately, as the Mac has doubled its enterprise presence over the last two years, it’s added new management options as well. Much of that growth occurred with Apple’s Mac OS X 10.5 Leopard OS, but a good deal of the credit goes to third-party tool vendors.

Your management perspective informs your Mac management strategy

Your best bet for handling Macs depends on your enterprise management perspective. Most organizations fall into one of three camps: strict control of every desktop, flexibility scaled to user capability, and application-centric rather than platform-centric management.

There’s a Mac management strategy for each option.

A Windows-centric management philosophy often aims to control every desktop and server at a very fine-grained level, using Windows Group Policy Objects (GPOs) and a unified management console. The Mac can play in this arena, but only with third-party tools.

Windows’ strict management posture comes from the need to tightly enforce patch management and security policies to prevent malware infections and other intrusions, for which Windows has a famously large attack surface.

The Mac’s exposure to commodity malware has historically been much smaller, so Macs don’t necessarily require the same fine-grained control.

(However, market share rather than architecture accounts for much of that difference, and the Mac has its own security issues that you should understand: it runs the same cross-platform browsers, plug-ins, and office software that are attacked on Windows, and Apple’s own patches still have to reach every machine.) Many organizations can nonetheless take a looser approach to managing their Macs.

Case in point: An information technologist at a major Southern California municipality notes, “A small percentage of our users have Macs, but they’re power users, in the sense that they’re constantly reconfiguring their desktop environments.

“They authenticate to our network via Active Directory just like Windows users and access the Internet via the same Windows ISA server firewall, but we have less need to control their specific applications compared to Windows users.

“It’s not a perfect world, but a workable one.”

The technologist continues, “We bought anti-virus for Macs, but haven’t had to deploy it because Macs aren’t that vulnerable if configured correctly.

“We don’t manage patches either, because users can self-manage and patches are less important to Macs from a security standpoint. We do have one issue with Mac FTP, which isn’t compatible with our Windows ISA proxy; we have to route that traffic through a separate firewall.”

Another tactic is to become OS-agnostic and manage applications rather than platforms. Occam Networks, a manufacturer of fiber-to-the-home infrastructure components, sees this path ultimately rendering desktop parochialism moot.

Ted Smith, the company’s information systems architect, describes Occam’s application management approach: “We offer users their choice of desktop — Mac, Unix, or Windows — and let them customize it the way they see fit.

“We employ platform-agnostic application delivery using Citrix and Windows Terminal Services, in which applications reside in our datacenter, not on the desktop.

“Apps like finance, ERP, CRM, and sales run remotely, totally transparently to desktop users. There are fewer security issues because you’re transporting all sensitive data over an encrypted tunnel. Who cares if a desktop blows up? Just give them a new one and they’re back working where they left off,” says Smith.

There are management tool sets for each of these three management perspectives. But all require that you exert some effort to understand the Mac’s unique capabilities to avoid managing them out of existence.

Windows-centric managers have rich tool sets from which to choose

The past two years have seen dramatic improvements to Mac OS X’s Windows management interoperability.

First, Mac OS X Leopard makes the Mac a player in the Windows Active Directory authentication scheme, via a built-in directory services plug-in that joins Macs to an Active Directory domain so that users log in with their Windows-hosted credentials.
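Binding a Mac to the domain is only half the job; the settings of that binding decide whether the directory traffic is signed and sealed and which domain groups get local admin on every Mac. The script below, an added example rather than code from the article or from Apple, audits those settings from the output of `dsconfigad -show`. It assumes the "key = value" layout that command prints on Mac OS X 10.5/10.6 (field labels may differ on other releases); the `SAMPLE_SHOW` text is a constructed sample, not a real binding, so the script also runs off a Mac.

```shell
#!/bin/sh
# Audit a Mac's Active Directory binding for weak settings.
# Added example, not code from the article or from Apple. It assumes the
# "key = value" layout that `dsconfigad -show` prints on Mac OS X 10.5/10.6;
# a different release may label the fields differently.

# Constructed sample of `dsconfigad -show` output (not a real binding).
SAMPLE_SHOW='You are bound to Active Directory:
  Active Directory Forest          = corp.example.com
  Active Directory Domain          = corp.example.com
  Computer Account                 = mac-fin-017$

Advanced Options - Administrative
  Preferred Domain controller      = not set
  Allowed admin groups             = domain admins,enterprise admins,domain users
  Authentication from any domain   = Enabled
  Packet signing                   = allow
  Packet encryption                = allow
  Password change interval         = 14'

# ad_setting SHOW KEY: print the value recorded for KEY, empty if absent.
ad_setting() {
    printf '%s\n' "$1" | awk -F' *= *' -v k="$2" '
        { key = $1; sub(/^ +/, "", key); if (key == k) { print $2; exit } }'
}

# ad_binding_findings SHOW: one finding per line; prints nothing when clean.
ad_binding_findings() {
    show="$1"
    if ! printf '%s\n' "$show" | grep -q '^You are bound to Active Directory'; then
        echo "NOT_BOUND"
        return 0
    fi
    # Directory traffic to the domain controllers should be signed and sealed,
    # not merely allowed to be; "require" is what -packetsign/-packetencrypt set.
    for key in "Packet signing" "Packet encryption"; do
        v=$(ad_setting "$show" "$key")
        [ "$v" = "require" ] || echo "WEAK:$key=$v"
    done
    # Every group listed here gets local admin on this Mac; anything beyond
    # the two default groups deserves a second look.
    ad_setting "$show" "Allowed admin groups" | tr ',' '\n' | while read -r g; do
        case "$g" in
            "domain admins"|"enterprise admins"|"") ;;
            *) echo "BROAD_ADMIN:$g" ;;
        esac
    done
    # An interval of 0 means the computer account password is never rotated.
    [ "$(ad_setting "$show" "Password change interval")" = "0" ] && echo "WEAK:Password change interval=0"
    return 0
}

# ad_binding_report: audit the live binding on a Mac, or the sample elsewhere.
ad_binding_report() {
    if command -v dsconfigad >/dev/null 2>&1; then
        show=$(dsconfigad -show)
    else
        show="$SAMPLE_SHOW"
    fi
    findings=$(ad_binding_findings "$show")
    if [ -z "$findings" ]; then
        echo "OK: required signing/encryption, default admin groups, rotating password"
    else
        printf '%s\n' "$findings"
    fi
}

ad_binding_report
```

Against the sample it reports three findings: signing and encryption are only "allow", and "domain users" has been handed local admin. On a real machine the fixes are the binding options themselves, for example `dsconfigad -packetsign require -packetencrypt require` and `dsconfigad -groups "domain admins,enterprise admins"`, applied as root.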

Both Mac OS X’s Managed Preferences (MP) and Windows’ GPOs let you centrally control what printers, file shares, and other resources users can access, as well as enforce common security policies such as automatic logout, password-protected screen savers, removable media restrictions, network and proxy configuration, application protection, software updates, and preference locking.

Out of the box, however, MP and GPO don’t communicate. And Mac OS X lacks support for one critical Microsoft information interface: the Windows DFS (Distributed File System).

That’s where third-party tools come in. Two packages provide mapping services from GPO to MP: Thursby’s ADmitMac and Centrify’s DirectControl. Both have client-side components that replace Apple’s Active Directory plug-in, and both supplant Apple’s SMB file sharing with their own enhanced equivalents.

DirectControl has a more straightforward mapping of GPO to MP, and it stores that mapping within Active Directory itself, while ADmitMac keeps its mappings on a file server outside Active Directory.

However, only ADmitMac’s file sharing includes full support for Windows DFS, which is a key requirement in many enterprise environments. Thursby also offers DFS support in its lightweight Dave file-sharing utility.

GPO propagation is just one aspect of Windows-centric administration. Others include asset tracking, patch management, and OS image generation and deployment.

The Casper Suite sports a customer service portal for user self-administration, in addition to a centralized admin console with an iPhone interface. Recon is a stripped-down version of Casper, with just the asset tracking, centralized console, and iPhone components.

LANDesk lets you distribute standardized OS images pre-configured for centrally hosted applications, à la Citrix. This capability is central to any platform-agnostic desktop strategy in which application, rather than device, management is the goal.

Symantec is a less-known player in the Mac desktop asset tracking/deployment niche with its Altiris Client Management Suite, which hasn’t seen significant Mac enhancement since 2007.

The Altiris Inventory Solution for Mac performs hardware and software discovery and asset tracking, while its Deployment Solution performs OS imaging via Mac OS X Server in the same way LANDesk does.

For enterprises that don’t feel the need for Windows-based management, Apple’s native Mac OS X management tools offer nearly equivalent control and can still integrate with a Windows Active Directory authentication infrastructure.

In this management model, you use Mac OS X’s built-in Active Directory plug-in for domain authentication and its SMB support for file and printer sharing, but depend on Mac OS X’s Open Directory and Managed Preferences (MP) architectures for policy enforcement. You run one or more instances of Mac OS X Server, which provides the MP controls in its Workgroup Manager interface.

You must manually synchronize user groups between Active Directory and Open Directory, but once that is done, Active Directory user accounts automatically populate their corresponding Open Directory groups.

Alternatively, you can configure the Open Directory server as an Active Directory “stub,” which eliminates the group synchronization chore but limits your MP choices to those that have a corresponding Active Directory policy.

Apple’s Screen Sharing service provides a convenient remote control interface for Mac OS X support. Screen Sharing is essentially VNC under the covers, so you can readily connect from a Windows box via free VNC clients such as TightVNC, although you lose some of Screen Sharing’s fancier features like scaling and autoscrolling. Two caveats: third-party clients only get in if you set a separate VNC password in the Sharing preference pane, and a standard VNC session carries the screen contents and keystrokes unencrypted, so tunnel it over SSH or a VPN whenever it crosses a network you don’t trust.

Apple’s Time Capsule provides a simple centralized backup target: users back up with Time Machine and retrieve files at will through its graphical browser. Be aware that Time Machine does not encrypt the backups it writes to a Time Capsule, so the device and its network share need the same physical and access protection as the data they hold.